[[PageOutline(2-5,Contents,pullout)]]

= An LDAP / Active Directory password and permission store for the !AccountManagerPlugin

== Description

This plugin is a password store for the AccountManagerPlugin. It provides authentication and groups from [wikipedia:Lightweight_Directory_Access_Protocol Lightweight Directory Access Protocol (LDAP)] enabled services, including [http://bejy.net/downloadldap.wiki BEJY LDAP], [http://www.openldap.org OpenLDAP], [wikipedia:Active_Directory Active Directory] and [wikipedia:Apple_Open_Directory Open Directory].

Users are authenticated by performing an `ldap_bind` against the directory with the credentials they supply, so the directory, not Trac, verifies the password. The plugin also pulls the email address and `displayName` from the directory and populates the `session_attribute` table with them.

Key features:
 - Can use a service account for lookups, or an anonymous bind.
 - Can use SSL/TLS if [https://www.openssl.org/ OpenSSL] is configured correctly.
 - Configurable: many options to deal with the differences between directories and schemas.
 - Uses both memory-based and database-based caching to improve performance.
 - Supports large directories:
   - Searches groups more efficiently using the `member` attribute.
   - Traverses up the tree to resolve nested subgroups.
   - Can expand directory groups into the Trac namespace.
   - Supports paged LDAP searches to get around server-side size limits.

See: [DirectoryAuthPlugin/TheoryOfOperation TheoryOfOperation]

== Bugs/Feature Requests

Existing bugs and feature requests for DirectoryAuthPlugin are [report:9?COMPONENT=DirectoryAuthPlugin here].

If you have any issues, create a [/newticket?component=DirectoryAuthPlugin new ticket].

[[TicketQuery(component=DirectoryAuthPlugin&group=type,format=progress)]]

== Download

Download the zipped source from [export:directoryauthplugin here].

== Source

You can check out DirectoryAuthPlugin from [/svn/directoryauthplugin here] using Subversion, or [source:directoryauthplugin browse the source] with Trac.
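== Worked example: search-then-bind

The following is an added illustration, not code from the plugin. It shows the flow described under Description (look the account up with a service account or an anonymous bind, then `ldap_bind` as the user's own DN, then read `mail` and `displayName` for the `session_attribute` table) together with the two checks that matter for this pattern: the username is escaped before it goes into the search filter, and an empty password is refused, because LDAP treats a bind with a DN and an empty password as an "unauthenticated bind" that many servers, Active Directory by default among them, accept as anonymous. The directory is an in-memory fake constructed for the example and every DN, account and password in it is made up; `FakeDirectory`, `DirectoryAuth`, `escape_filter` and `AUTH` are names of this example only.

```python
"""Search-then-bind LDAP authentication, as DirectoryAuthPlugin describes it.

Added example, not the plugin's code. The directory is a constructed in-memory
fake so the flow runs offline; with python-ldap the same two steps map onto
simple_bind_s() for the lookup account, search_s() for the user's DN and
attributes, and a second simple_bind_s() on a fresh connection for the user.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for values interpolated into a search filter. Without it a
# username such as "*" or "x)(objectClass=*" rewrites the filter itself.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape_filter(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: DN -> (password, attributes).

    simple_bind() deliberately mirrors the "unauthenticated bind" rule of
    RFC 4513 section 5.1.2: a DN with an EMPTY password is accepted (as an
    anonymous session) by many servers, Active Directory by default among them.
    """

    def __init__(self, entries: Dict[str, Tuple[str, Dict[str, List[str]]]]):
        self.entries = entries

    def simple_bind(self, dn: Optional[str], password: str) -> bool:
        if not dn:                         # anonymous bind: allowed here
            return True
        if dn not in self.entries:
            return False
        if password == "":                 # unauthenticated bind "succeeds"
            return True
        return self.entries[dn][0] == password

    @staticmethod
    def _matches(entry: Dict[str, List[str]], name: str, raw: str) -> bool:
        if raw == "*":                     # presence test, only for a bare "*"
            return name in entry
        return _unescape_filter(raw) in entry.get(name, [])

    def search(self, base_dn: str, flt: str, attrs: Tuple[str, ...]):
        # Minimal evaluator: AND of every (name=value) assertion in the filter.
        wanted = re.findall(r"\((\w+)=([^()]*)\)", flt)
        hits = []
        for dn, (_pw, entry) in self.entries.items():
            if dn.endswith(base_dn) and all(self._matches(entry, n, v) for n, v in wanted):
                hits.append((dn, {a: entry.get(a, []) for a in attrs}))
        return hits


class DirectoryAuth:
    def __init__(self, directory: FakeDirectory, base_dn: str,
                 user_attr: str = "sAMAccountName",
                 bind_dn: Optional[str] = None, bind_pw: str = ""):
        self.directory, self.base_dn, self.user_attr = directory, base_dn, user_attr
        self.bind_dn, self.bind_pw = bind_dn, bind_pw    # None => anonymous lookups

    def authenticate(self, username: str, password: str) -> Optional[dict]:
        # Refuse empty passwords before touching the directory; otherwise the
        # user bind below would pass as an unauthenticated bind and log anyone in.
        if not username or not password:
            return None
        # Step 1: find the account with the service account (or anonymously).
        if not self.directory.simple_bind(self.bind_dn, self.bind_pw):
            return None
        flt = "(&(objectClass=person)(%s=%s))" % (self.user_attr, escape_filter(username))
        hits = self.directory.search(self.base_dn, flt, ("mail", "displayName"))
        if len(hits) != 1:                 # unknown or ambiguous: never pick "the first"
            return None
        dn, attrs = hits[0]
        # Step 2: prove the password by binding as the user's own DN. With
        # python-ldap do this on a fresh connection so the lookup connection
        # keeps the service account's identity.
        if not self.directory.simple_bind(dn, password):
            return None
        return {"dn": dn,
                "email": (attrs.get("mail") or [None])[0],
                "name": (attrs.get("displayName") or [username])[0]}


# Constructed sample directory (hypothetical DNs and passwords).
DIRECTORY = FakeDirectory({
    "CN=svc-trac,OU=Service,DC=example,DC=net": ("svc-pass", {
        "objectClass": ["person"], "sAMAccountName": ["svc-trac"]}),
    "CN=Alice,OU=Staff,DC=example,DC=net": ("alice-pass", {
        "objectClass": ["person"], "sAMAccountName": ["alice"],
        "mail": ["alice@example.net"], "displayName": ["Alice Example"]}),
    "CN=Bob,OU=Staff,DC=example,DC=net": ("bob-pass", {
        "objectClass": ["person"], "sAMAccountName": ["bob"]}),
})
AUTH = DirectoryAuth(DIRECTORY, "DC=example,DC=net",
                     bind_dn="CN=svc-trac,OU=Service,DC=example,DC=net", bind_pw="svc-pass")

if __name__ == "__main__":
    print(AUTH.authenticate("alice", "alice-pass"))   # populated session attributes
    print(AUTH.authenticate("alice", ""))             # None: empty password refused
    print(AUTH.authenticate("*", "alice-pass"))       # None: wildcard is escaped
```

Run the module directly to see the three calls at the bottom. The same shape applies against a real server through `ldap.initialize()`; the point of the fake is that you can see, without a directory to hand, that the empty-password check and the filter escaping are what stand between "bind succeeded" and "anyone is logged in".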
== Installation

=== Prerequisites

 - You must install AccountManagerPlugin to use this plugin.
 - [pypi:python-ldap/ Python-LDAP] is also required.
 - For SSL/TLS, you will have to install and configure OpenSSL with a certificate chain the client host actually trusts. You can test with `ldapsearch -Z` before involving Trac.

=== Installation steps

General instructions on installing Trac plugins can be found on the [TracPlugins#InstallingaTracplugin TracPlugins] page. Starting with v0.3, a database upgrade is required as part of the installation.

 1. Install the plugin and its prerequisites.
 1. Update the database:
{{{#!sh
trac-admin /var/trac/instance upgrade
}}}
 1. Restart the tracd service or your web server.

See [DirectoryAuthPlugin/ConfigurationExamples ConfigurationExamples].

== Common Issues

 - When using SSL, the server won't authenticate. Make sure you can run `ldapsearch -Z` with the same parameters from the same host that runs Trac (it is that host's CA store and name resolution that matter), and resolve any problems there first. A handy way to do that is:
{{{
joe@admin > ldapsearch -d8 -Z -x -b dc=base,dc=net -D binding@base.net -W -H ldap://ldap.base.net -s one 'objectclass=person'
}}}
 `-Z` requests StartTLS on a plain `ldap://` connection (usually port 389). If your server only offers LDAP over TLS on `ldaps://` (usually port 636), use that URL and drop `-Z`: the two are different mechanisms, and combining them makes ldapsearch warn that TLS is already started, which only muddies the diagnosis. The `-d8` should show you TLS errors.
 - If you see Trac throwing an exception similar to "OPERATIONS_ERROR: In order to perform this operation a successful bind must be completed on the connection" when you know the bind user/password is correct, try connecting to Active Directory on port 3268, the Global Catalog port. This typically happens when the directory is spread across multiple domain controllers or domains: the search returns referrals, and python-ldap chases them by default on a new, anonymous connection, which Active Directory rejects with exactly this error. The Global Catalog answers for the whole forest without referrals; the alternative is to turn referral chasing off in the client (python-ldap option `ldap.OPT_REFERRALS` set to 0).

== Recent Changes

[[ChangeLog(directoryauthplugin, 3)]]

== Author/Contributors

'''Author:''' [wiki:pacopablo] [[BR]]
'''Maintainer:''' [[Maintainer]] [[BR]]
'''Contributors:''' sandinak, rjollos